When to ldap?
Dean, Barry
B.Dean at liverpool.ac.uk
Thu May 13 11:05:02 CEST 2010
On 13 May 2010, at 06:54, Alan DeKok wrote:
> Dean, Barry wrote:
>> I am working on a new radius config and have been trying to avoid the lookup in LDAP I have been seeing for the outer identity.
>>
>> I have moved to 2.1.8 with the inner-tunnel virtual host enabled.
>>
>> I have an authorise section for the relevant virtual server that has:
>
> *which* virtual server?
I have 3 virtual servers on this host, one is for just local authentication, one is for the JANET Roaming Service and one is for our local Guest Wireless service. The config section I posted was from the local auth virtual server.
Complete config:
# Local auth
#
server radius {
    listen {
        ipaddr = <server ip>
        port = 0
        type = auth
    }
    listen {
        ipaddr = <server ip>
        port = 0
        type = acct
    }
    proxy_requests = no
    $INCLUDE local-clients.conf
    authorize {
        preprocess
        auth_log
        if ("%{User-Name}" =~ /forbidden/i) {
            update reply {
                Reply-Message = "Cannot use this user account"
            }
            reject
        }
        chap
        mschap
        suffix
        eap {
            ok = return
        }
        files
        if (!EAP-Message) {
            ldap
        }
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        Auth-Type LDAP {
            ldap
        }
        Auth-Type EAP {
            eap
        }
        eap
    }
    preacct {
        preprocess
        acct_unique
        suffix
        files
    }
    accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
    }
    session {
        radutmp
    }
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
        reply_log
    }
    pre-proxy {
        pre_proxy_log
    }
    post-proxy {
        eap
        post_proxy_log
    }
}
>
>> The "if(!EAP-Message)" works a treat at preventing an LDAP lookup for the outer identity, but if I want to send a basic User-Name/User-Password type auth request after checking with LDAP and returning "Remote access is permitted", I then see:
>>
>> No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>
> And the *rest* of the debug log says.... ?
Complete log is:
rad_recv: Access-Request packet from host 192.168.0.10 port 63775, id=111, length=49
User-Name = "user"
User-Password = "password"
NAS-IP-Address = 192.168.0.10
server radius {
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /log/radacct/192.168.0.10/auth-detail-20100513
[auth_log] /log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /log/radacct/192.168.0.10/auth-detail-20100513
[auth_log] expand: %t -> Thu May 13 09:47:31 2010
++[auth_log] returns ok
++? if ("%{User-Name}" =~ /forbidden/i)
expand: %{User-Name} -> user
? Evaluating ("%{User-Name}" =~ /forbidden/i) -> FALSE
++? if ("%{User-Name}" =~ /forbidden/i) -> FALSE
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "user"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap-eduroam] No EAP-Message, not doing EAP
++[eap-eduroam] returns noop
++[files] returns noop
[ldap] performing user authorization for user
[ldap] expand: %{Stripped-User-Name} -> user
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=user)
[ldap] expand: OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk -> OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to adserver.liv.ac.uk:389, authentication 0
[ldap] bind as CN=radius-account,OU=Service Accounts,OU=UOL,DC=adserver,DC=liv,DC=ac,DC=uk/special-password to adserver.liv.ac.uk:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in OU=UOL,DC=adserer,DC=liv,DC=ac,DC=uk, with filter (sAMAccountName=user)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user user authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [user] (from client EZProxy port 0)
} # server radius
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> user
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.10 port 63775, id=111, length=49
Waiting to send Access-Reject to client EZProxy port 63775 - ID: 111
Sending delayed reject for request 0
Sending Access-Reject of id 111 to 192.168.0.10 port 63775
Waking up in 4.9 seconds.
Cleaning up request 0 ID 111 with timestamp +32
>
>> I presume:
>>
>> if (!EAP-Message) {
>> ldap
>> }
>>
>> Fails to set Auth-Type LDAP?
>
> Yes. It *shouldn't*, either. That was a mistake from 1.x.
I have seen the dire warnings about "Don't set Auth-Type = LDAP" so I have not ventured there as I am sure there are dragons.
----------------------
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
Tel: 0151 795 9540
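One way to supply the Auth-Type that the debug log shows missing for plain User-Name/User-Password requests, as an added example that is not from this thread or from the FreeRADIUS project: set Auth-Type := LDAP explicitly in unlang, only for non-EAP PAP requests where the directory returned no password, so that the authenticate { Auth-Type LDAP { ldap } } block already in the posted config performs a bind with the supplied password. It assumes FreeRADIUS 2.1.x unlang syntax, the authorize section posted above, and a TLS-protected LDAP connection, since the user's password is sent to the directory on bind.

```unlang
authorize {
    preprocess
    auth_log
    if ("%{User-Name}" =~ /forbidden/i) {
        update reply {
            Reply-Message = "Cannot use this user account"
        }
        reject
    }
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    # Only non-EAP requests get past "eap" above, so the outer EAP identity
    # is never looked up in the directory.
    if (!EAP-Message) {
        ldap
        # An AD directory returns no password attribute (see the "No known
        # good password" WARNING in the log), so pap has nothing to compare
        # against and no Auth-Type gets chosen. Choose the bind-based LDAP
        # check explicitly, but only when:
        #   - the user was found (ldap returned ok),
        #   - the request carries a cleartext User-Password (PAP); CHAP and
        #     MS-CHAP cannot be verified by a bind,
        #   - nothing else (files, a password from LDAP) has already decided.
        if (ok && User-Password && !control:Auth-Type && \
            !control:User-Password && !control:Cleartext-Password) {
            update control {
                Auth-Type := LDAP
            }
        }
    }
    expiration
    logintime
    pap
}
```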